In the wake of toymaker VTech’s data breach, reports have surfaced that fellow child-focused company Sanrio Co., Ltd, the maker Hello Kitty, has also been compromised by a major data breach.

A hack at SanrioTown.com, the online community for Hello Kitty fans, along with potentially hellokitty.com, hellokitty.com.sg, hellokitty.com.my, hellokitty.in.th, and mymelody.com, has revealed details of more than 3 million user accounts, including some 186,261 minors. The breach revealed the first and last names, birth dates, genders, countries of origin, and email addresses for 3.3 million accounts. Exposed information also included lightly-protected passwords, as well as forgotten password questions and answers. The company claims the hack did not include credit card or other payment details.

Sanrio says the vulnerability has been fixed. Security researcher Chris Vickery, who informed the company of the exposed data, says users’ personal information was easily accessible online for a month and that it would have been “extremely easy for a bad guy to take the data.” Although Sanrio maintains that no data was stolen or exposed, Vickery disputes its claim, saying he has accessed the data himself from several different IP addresses.

If you or your children are Hello Kitty enthusiasts active in Sanrio’s online communities, your personal information may have been compromised. Contact Morgan & Morgan to learn more about your potential legal options.